mirror of
https://github.com/tendermint/tendermint.git
synced 2026-01-07 13:55:17 +00:00
1f0cf7762b
* Initial commit * Add three timeouts and align pseudocode better with existing algorithm * Align protocol with Tendermint code and add find valid value mechanism * Prepare to Nuke Develop (#47) * state -> step * vote -> v * New version of the algorithm and the proof * New version of the algorithm and the proofs * Added algorithm description * Add algorithm description * Add introduction * Add conclusion * Add conclusion file * fix warnings (caption was defined twice) - only the latter is used anyways (centers captions) - this makes it possible to autom. building the paper * Update grammar * s/state_p/step_p * Address Ismail's comments * intro: language fixes * definitions: language fixes * consensus: various fixes * proof: some fixes * try to improve reviewability * \eq -> = * textwrap to 79 * various minor fixes * proof: fix itemization * proof: more minor fixes * proof: timeouts are functions * proof: fixes to lemma6 * Intro changes and improve title page * Add Marko and Ming to acks * add readme * Format algorithm correctly Clarify condition semantic and timeouts Improve descriptions * patform -> platform * Ensure that rules are mutually exclusive - various clarifications and small improvements * Release v0.6 * small nits for smoother readability * This PR is to create signed commits to be able to merge (#50) Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> * Add consesnus and blockchain specs, (#52) - Open questions - Do we want to split lite client work from consesnsus - From the blockchain spec, is encoding nessecary in the spec Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> * Add ABCI SPEC (#51) - move the abci spec from tendermint to spec repo Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> * spec/consensus/signing: add more details about nil and amnesia (#54) - Add more details about nil votes and about amnesia attacks Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> * Add Section for P2P (#53) * Add Section for P2P - moved over the section on p2p Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> * add some more files Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> * Fix model section * Add non-recursive specification of Bisection algorithm - Fix timing issues by introducing Delta parameter * spec: update spec with tendermint updates (#62) * spec: update spec with tendermint updates - this in preperation of deleting the spec folder in docs in tendermint/tendermint Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> * spec: added in reactors & p2p Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> * spec: update readme in spec to comply with docs site Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> * docs: addded more changes from tednermint/tendermint Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> * reflect breaking changes made to Commit (#63) * reflect breaking changes made to Commit PR: https://github.com/tendermint/tendermint/pull/4146 Issue: https://github.com/tendermint/tendermint/issues/1648 * types: rename Commit#Precommits to Signatures * update BlockIDFlagAbsent comment * remove iota * Clean up error conditions and simplify pseudocode * Apply suggestions from code review Co-Authored-By: Anca Zamfir <ancazamfir@users.noreply.github.com> * Add spec doc about unconditional_peer, persistent_peers_max_dial of ADR-050 (#68) * Add spec doc about unconditional_peer_ids, persistent_peers_max_dial_period of ADR-050 * Add indefinitely dialing condition * Add sr25519 amino documentation (#67) * sr25519 amino * Update spec/blockchain/encoding.md Co-Authored-By: Marko <marbar3778@yahoo.com> * some suggestions for pseuodocode changes * Improved error handling * Add explanation on difference between trusted models * Address reviewer's comments * Addressing reviewer's comments * Separating algorithm from proofs * Intermediate commit (aligning spec with the code) * Removing Store from API and providing end-to-end timing guarantees * Address reviewer comment's. Intermediate commit * light client dir and readmes * titles * add redirects * add diagram * detection TODO * fix image * update readme * Aligh the correctness arguments with the pseudocode changes * lite->light * Fix link in readme ./light -> ./light-client * p2p: Merlin based malleability fixes (#72) * Update the secret connection spec with the use of merlin to eliminte handshake malleability * Update spec/p2p/peer.md Co-Authored-By: Anton Kaliaev <anton.kalyaev@gmail.com> * Update spec/p2p/peer.md Co-Authored-By: Anton Kaliaev <anton.kalyaev@gmail.com> * Update spec/p2p/peer.md Co-Authored-By: Anton Kaliaev <anton.kalyaev@gmail.com> Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com> * docs: update specs to remove cmn (#77) - cmn was remvoed in favor of sub pkgs. cmn.kvpair is now kv.pair Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> * evidence: Add time to evidence params (#69) * evidence: Add time to evidence params - this pr is grouped together with https://github.com/tendermint/tendermint/pull/4254, once that PR is merged then this one can be as well. Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> * remove note Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> * Apply suggestions from code review Co-Authored-By: Anton Kaliaev <anton.kalyaev@gmail.com> Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com> * update link to the pex reactor * add markdown link checker * changed tab spacing * removed folder-path flag * first attempt at fixing all links * second attempt at fixing all links * codeowners: add code owners (#82) * codeowners: add code owners - added some codeowners please comment if youd like to be added as well. Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> * remove comment of repo maintainers * remove .idea dir (#83) Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> * RFC-001: configurable block retention (#84) * Added RFC for truncated block history coordination * Clarified minimum block retention * Added hard checks on block retention and snapshot interval, and made some minor tweaks * Genesis parameters are immutable * Use local config for snapshot interval * Reordered parameter descriptions * Clarified local config option for snapshot-interval * rewrite for ABCI commit response * Renamed RFC * add block retention diagram * Removed retain_blocks table * fix image numbers * resolved open questions * image quality * accept RFC-001 (#86) * abci: add basic description of ABCI Commit.ResponseHeight (#85) Documentation for block pruning, once it's merged: tendermint/tendermint#4588. Minimum documentation, for now - we probably shouldn't encourage using this feature too much until we release state sync. * abci: add MaxAgeNumBlocks/MaxAgeDuration to EvidenceParams (#87) * abci: update MaxAgeNumBlocks & MaxAgeDuration docs (#88) * document state sync ABCI interface and P2P protocol (#90) The corresponding Tendermint PRs are tendermint/tendermint#4704 and tendermint/tendermint#4705. * Revert "document state sync ABCI interface and P2P protocol (#90)" (#92) This reverts commit9842b4b0fb. * blockchain: change validator set sorting method (#91) * abci: specify sorting of RequestInitChain.Validators * blockchain: change validator sorting method Refs https://github.com/tendermint/tendermint/issues/2478 * reactors/pex: specify hash function (#94) https://github.com/tendermint/tendermint/pull/4810/files * document state sync ABCI interface and P2P protocol (#93) * Revert "Revert "document state sync ABCI interface and P2P protocol (#90)" (#92)" This reverts commit90797cef90. * update with new enum case * fix links Co-authored-by: Erik Grinaker <erik@interchain.berlin> * Update evidence params with MaxNum (#95) evidence params now includes maxNum which is the maximum number of evidence that can be committed on a single block * reactors/pex: masked IP is used as group key (#96) * spec: add ProofTrialPeriod to EvidenceParam (#99) * spec: modify Header.LastResultsHash (#97) Refs: https://github.com/tendermint/tendermint/issues/1007 PR: https://github.com/tendermint/tendermint/pull/4845 * spec: link to abci server implementations (#100) * spec: update evidence in blockchain.md (#108) now evidence reflects the actual evidence present in the tendermint repo * abci: add AppVersion to ConsensusParams (#106) * abci: tweak node sync estimate (#115) * spec/abci: expand on Validator#Address (#118) Refs https://github.com/tendermint/tendermint/issues/3732 * blockchain: rename to core (#123) * blockchain: remove duplicate evidence sections (#124) * spec/consensus: canonical vs subjective commit Refs https://github.com/tendermint/tendermint/issues/2769 * Apply suggestions from code review Co-authored-by: Igor Konnov <igor.konnov@gmail.com> * update spec with the removal of phantom validator evidence (#126) * bring blockchain back * add correct links * spec: revert event hashing (#132) * Evidence time is sourced from block time (#138) * RFC-002: non-zero genesis (#119) * abci: add ResponseInitChain.app_hash (#140) * update hashing of empty inputs, and initial block LastResultsHash (#141) * update evidence verification (#139) * accept RFC-002 (#142) * add description of arbitrary initial height (#135) * update ResponseInitChain.app_hash description (#143) * remove unused directories and update README (#145) This change removes unused directories (`papers` and `research`) and updates the README to reflect our strategy for merging the informalsystems/tendermint-rs specs into this repository. Partially addresses #121. * ci: add markdown linter (#146) * ci: add dependabot config (#148) * build(deps): bump gaurav-nelson/github-action-markdown-link-check from 0.6.0 to 1.0.7 (#149) Bumps [gaurav-nelson/github-action-markdown-link-check](https://github.com/gaurav-nelson/github-action-markdown-link-check) from 0.6.0 to 1.0.7. Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * docs: add sections to abci (#150) * spec: update abci events (#151) * spec: extract light-client to its own directory (#152) Co-authored-by: Callum Waters <cmwaters19@gmail.com> * spec: remove evidences (#153) * add a stale bot (#134) * Current versions of light client specs from tendermint-rs (#158) * current versions of light client specs from tendermint-rs * markdown lint * linting * links * links * links Co-authored-by: Marko Baricevic <marbar3778@yahoo.com> * Fastsync spec from tendermint-rs (#157) * fastsync spec from tendermint-rs * fixed broken link * fixed linting * more fixes * markdown lint * move fast_sync to rust-spec Co-authored-by: Marko Baricevic <marbar3778@yahoo.com> * Update README.md (#160) * spec/reactors/mempool: batch txs per peer (#155) * spec/reactors/mempool: batch txs per peer Refs https://github.com/tendermint/tendermint/issues/625 * update * spec: Light client attack detector (#164) * start with new detection and evidence spec * more definitions at top * sketch of functions * pre post draft * evidence proof * typo * evidence theory polished * some TODOs resolved * more TODOs * links * second to last revision before PR * links * I will read once more and then make a PR * removed peer handling definitions * secondary * ready to review * detector ready for review * Update rust-spec/lightclient/detection/detection.md Co-authored-by: Zarko Milosevic <zarko@informal.systems> * Update rust-spec/lightclient/detection/detection.md Co-authored-by: Zarko Milosevic <zarko@informal.systems> * Update rust-spec/lightclient/detection/detection.md Co-authored-by: Zarko Milosevic <zarko@informal.systems> * Update rust-spec/lightclient/detection/detection.md Co-authored-by: Zarko Milosevic <zarko@informal.systems> * Update rust-spec/lightclient/detection/detection.md Co-authored-by: Zarko Milosevic <zarko@informal.systems> * Update rust-spec/lightclient/detection/detection.md Co-authored-by: Zarko Milosevic <zarko@informal.systems> * Update rust-spec/lightclient/detection/detection.md * skip-trace * PossibleCommit explained * Update rust-spec/lightclient/detection/detection.md Co-authored-by: Zarko Milosevic <zarko@informal.systems> * comments by Zarko * renamed and changed link in README Co-authored-by: Zarko Milosevic <zarko@informal.systems> * fixed an overlooked conflict (#167) * describe valset sorting according to v0.34 requirements (#169) * evidence: update data structures (#165) * fix markdown linter (#172) * TLA+ specs from MBT revision (#173) * remove setOption (#181) * spec: protobuf changes (#156) Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com> * first check latest with secondary (#184) * Extending the blockchain specification (in the light client) to produce different ratios of faults (#183) * cleaning unused definitions * introduced the ratio of faulty processes * Update README.md (#185) * build(deps): bump gaurav-nelson/github-action-markdown-link-check from 1.0.7 to 1.0.8 (#188) Bumps [gaurav-nelson/github-action-markdown-link-check](https://github.com/gaurav-nelson/github-action-markdown-link-check) from 1.0.7 to 1.0.8. - [Release notes](https://github.com/gaurav-nelson/github-action-markdown-link-check/releases) - [Commits](https://github.com/gaurav-nelson/github-action-markdown-link-check/compare/1.0.7...e3c371c731b2f494f856dc5de7f61cea4d519907) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * spec: update light client verification to match supervisor (#171) * VDD renaming of verification spec + links fixed * latest() * backwards * added TODOs * link in old file to new name * better text * revision done. needs one more round of reading * renamed constants in 001 according to TLA+ and impl * ready for PR * forgot linting * Update rust-spec/lightclient/verification/verification_002_draft.md * Update rust-spec/lightclient/verification/verification_002_draft.md * added lightstore function needed for supervisor * added lightstore functions for supervisor * ident * Update rust-spec/lightclient/verification/verification_002_draft.md * github: issue template for proposals (#190) * Sequential Supervisor (#186) * move from tendermint-rs but needs discussion * markdown lint * TODO links replaced * links * links * links lint * Update rust-spec/lightclient/supervisor/supervisor.md * Update rust-spec/lightclient/supervisor/supervisor.md * Update rust-spec/lightclient/supervisor/supervisor.md * Update rust-spec/lightclient/supervisor/supervisor.md * moved peer handling definitions to supervisor * polishing * rename * Update rust-spec/lightclient/supervisor/supervisor_001_draft.md * Update rust-spec/lightclient/supervisor/supervisor_001_draft.md * changes to maintain StateVerified again * ready for changes in verification * start of supervisor * module name * fixed * more details * supevisor completed. Now I have to add function to verification * ready for review * tla comment * removed issues * Update rust-spec/lightclient/supervisor/supervisor_001_draft.md * intro text fixed * indentation * Update rust-spec/lightclient/supervisor/supervisor_001_draft.md * comment to entry points Co-authored-by: Marko Baricevic <marbar3778@yahoo.com> * RFC: adopt zip 215 (#144) Co-authored-by: Robert Zaremba <robert@zaremba.ch> * Core: move validation & data structures together (#176) Co-authored-by: Callum Waters <cmwaters19@gmail.com> * docs: make blockchain not viewable (#211) * evidence: update data structures to reflect added support of abci evidence (#213) * encoding: add secp, ref zip215, tables (#212) * Detector English Spec ready (#215) Add detector English spec * add Ivy proofs (#210) * add Ivy proofs * fix docker-compose command * Light client detector spec in TLA+ and refactoring of light client verification TLA+ spec (#216) Add light client detector spec in TLA+ * abci: lastcommitinfo.round extra sentence (#221) * abci: add abci_version to requestInfo (#223) * BFT requires _less than_ 1/3 faulty validators (#228) Thanks fo spotting the imprecision in the text, @shahankhatch ! * Draft of evidence handling for discussion (#225) * start with accountability deliverable * problem statement * draft function * quite complete draft. ready to discuss with Igor * Update isolate-attackers_001_draft.md * Update isolate-attackers_001_draft.md * Update isolate-attackers_001_draft.md * Update isolate-attackers_001_draft.md * Update isolate-attackers_001_draft.md * ready for TLA+ to take over * isolate * isolateamnesiatodos * Update isolate-attackers_001_draft.md * Update rust-spec/lightclient/attacks/isolate-attackers_001_draft.md Co-authored-by: Igor Konnov <konnov@forsyte.at> * Update rust-spec/lightclient/attacks/isolate-attackers_001_draft.md Co-authored-by: Igor Konnov <konnov@forsyte.at> * Update rust-spec/lightclient/attacks/isolate-attackers_001_draft.md Co-authored-by: Igor Konnov <konnov@forsyte.at> * Update rust-spec/lightclient/attacks/isolate-attackers_001_draft.md Co-authored-by: Igor Konnov <konnov@forsyte.at> * Update rust-spec/lightclient/attacks/isolate-attackers_001_draft.md Co-authored-by: Igor Konnov <konnov@forsyte.at> * Update rust-spec/lightclient/attacks/isolate-attackers_001_draft.md Co-authored-by: Igor Konnov <konnov@forsyte.at> * Update rust-spec/lightclient/attacks/isolate-attackers_001_draft.md Co-authored-by: Igor Konnov <konnov@forsyte.at> * Update rust-spec/lightclient/attacks/isolate-attackers_001_draft.md Co-authored-by: Igor Konnov <konnov@forsyte.at> * The TLA+ specification of the attackers detection (#231) * the working attackers isolation spec, needs more comments * the TLA+ spec of the attackers isolation * build(deps): bump gaurav-nelson/github-action-markdown-link-check (#233) Bumps [gaurav-nelson/github-action-markdown-link-check](https://github.com/gaurav-nelson/github-action-markdown-link-check) from 1.0.8 to 1.0.11. - [Release notes](https://github.com/gaurav-nelson/github-action-markdown-link-check/releases) - [Commits](https://github.com/gaurav-nelson/github-action-markdown-link-check/compare/1.0.8...2a60e0fe41b5361f446ccace6621a1a2a5c324cf) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Computing attack types (#232) Add light attack evidence handling * Update README.md (#234) * p2p: update frame size (#235) Reflect the change made in https://github.com/tendermint/tendermint/pull/5805 The MTU (Maximum Transmission Unit) for Ethernet is 1500 bytes. The IP header and the TCP header take up 20 bytes each at least (unless optional header fields are used) and thus the max for (non-Jumbo frame) Ethernet is 1500 - 20 -20 = 1460 Source: https://stackoverflow.com/a/3074427/820520 * build(deps): bump gaurav-nelson/github-action-markdown-link-check (#239) Bumps [gaurav-nelson/github-action-markdown-link-check](https://github.com/gaurav-nelson/github-action-markdown-link-check) from 1.0.11 to 1.0.12. - [Release notes](https://github.com/gaurav-nelson/github-action-markdown-link-check/releases) - [Commits](https://github.com/gaurav-nelson/github-action-markdown-link-check/compare/1.0.11...0fe4911067fa322422f325b002d2038ba5602170) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * layout: add section titles (#240) * reactors: remove bcv1 (#241) * abci: rewrite to proto interface (#237) * Update supervisor_001_draft.md (#243) * spec: remove reactor section (#242) Co-authored-by: Tess Rinearson <tess.rinearson@gmail.com> * non-critical bugfix in the TLA+ spec (found by new version of apalache) (#244) * params: remove block timeiota (#248) * proto: add files (#246) Co-authored-by: Erik Grinaker <erik@interchain.berlin> * proto: modify height int64 to uint64 (#253) * abci: note on concurrency (#258) Co-authored-by: Marko <marbar3778@yahoo.com> * spec: merge rust-spec (#252) * Fix list of RFCs (#266) * readme: cleanup (#262) * modify readme * add rfc and proto * add rust=spec back to avoid breakage * lint readme * genesis: Explain fields in genesis file (#270) * describe the genesis * Update spec/core/genesis.md Co-authored-by: Dev Ojha <ValarDragon@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Callum Waters <cmwaters19@gmail.com> * add wording on app_state * Update spec/core/genesis.md Co-authored-by: Callum Waters <cmwaters19@gmail.com> Co-authored-by: Dev Ojha <ValarDragon@users.noreply.github.com> Co-authored-by: Callum Waters <cmwaters19@gmail.com> * p2p: links (#268) * fix links * fix more links * Proposer-based timestamp specification (#261) * added proposer-based timestamp spec * Update spec/consensus/proposer-based-timestamp/pbts_001_draft.md Co-authored-by: Aleksandr Bezobchuk <alexanderbez@users.noreply.github.com> * Update spec/consensus/proposer-based-timestamp/pbts_001_draft.md Co-authored-by: Aleksandr Bezobchuk <alexanderbez@users.noreply.github.com> * Update spec/consensus/proposer-based-timestamp/pbts-algorithm_001_draft.md Co-authored-by: Marko <marbar3778@yahoo.com> * Update spec/consensus/proposer-based-timestamp/pbts-algorithm_001_draft.md * Update spec/consensus/proposer-based-timestamp/pbts-sysmodel_001_draft.md Co-authored-by: Callum Waters <cmwaters19@gmail.com> * fixes from PR Co-authored-by: Josef Widder <44643235+josef-widder@users.noreply.github.com> Co-authored-by: Aleksandr Bezobchuk <alexanderbez@users.noreply.github.com> Co-authored-by: Marko <marbar3778@yahoo.com> Co-authored-by: Callum Waters <cmwaters19@gmail.com> * abci: reorder sidebar (#282) * ABCI++ RFC (#254) * ABCI++ RFC This commit adds an RFC for ABCI++, which is a collection of three new phases of communication between the consensus engine and the application. Co-authored-by: Sunny Aggarwal <sunnya97@protonmail.ch> * Fix bugs pointed out by @liamsi * Update rfc/004-abci++.md Co-authored-by: Federico Kunze <31522760+fedekunze@users.noreply.github.com> * Fix markdown lints * Update rfc/004-abci++.md Co-authored-by: Ismail Khoffi <Ismail.Khoffi@gmail.com> * Update rfc/004-abci++.md Co-authored-by: Tess Rinearson <tess.rinearson@gmail.com> * Update rfc/004-abci++.md Co-authored-by: Tess Rinearson <tess.rinearson@gmail.com> * Add information about the rename in the context section * Bold RFC * Add example for self-authenticating vote data * More exposition of the term IPC * Update pros / negatives * Fix sentence fragment * Add desc for no-ops Co-authored-by: Sunny Aggarwal <sunnya97@protonmail.ch> Co-authored-by: Federico Kunze <31522760+fedekunze@users.noreply.github.com> Co-authored-by: Ismail Khoffi <Ismail.Khoffi@gmail.com> Co-authored-by: Tess Rinearson <tess.rinearson@gmail.com> * RFC: ReverseSync - fetching historical data (#224) * core: update a few sections (#284) * p2p: update state sync messages for reverse sync (#285) * Update README.md (#286) * rpc: define spec for RPC (#276) * add rpc spec and support outline * add json * add more routes remove unneeded ones * add rest of rpc endpoints * add jsonrpc calls * add more jsonrpc calls * fix blockchain * cleanup unused links and add links to repos * Update spec/rpc/README.md Co-authored-by: Callum Waters <cmwaters19@gmail.com> * add missing param from consensus param * Update spec/rpc/README.md Co-authored-by: Callum Waters <cmwaters19@gmail.com> * Update spec/rpc/README.md Co-authored-by: Callum Waters <cmwaters19@gmail.com> * fix cast and add doc to readme Co-authored-by: Callum Waters <cmwaters19@gmail.com> Co-authored-by: Marko Baricevic <markobaricevic@Fergalicious.local> * A few improvements to the Ivy proof (#288) * Avoid quantifier alternation cycle The problematic quantifier alternation cycle arose because the definition of accountability_violation was unfolded. This commit also restructures the induction proof for clarity. * add count_lines.sh * fix typo and add forgotten complete=fo in comment Co-authored-by: Giuliano <giuliano@eic-61-11.galois.com> * Fixed a broken link (#291) * fix message type for block-sync (#298) * lint: fix lint errors (#301) * build(deps): bump actions/stale from 3 to 3.0.18 (#300) Bumps [actions/stale](https://github.com/actions/stale) from 3 to 3.0.18. - [Release notes](https://github.com/actions/stale/releases) - [Commits](https://github.com/actions/stale/compare/v3...v3.0.18) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump actions/stale from 3.0.18 to 3.0.19 (#302) Bumps [actions/stale](https://github.com/actions/stale) from 3.0.18 to 3.0.19. - [Release notes](https://github.com/actions/stale/releases) - [Commits](https://github.com/actions/stale/compare/v3.0.18...v3.0.19) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * rename HasVote to ReceivedVote (#289) * add a changelog to track changes (#303) * add a changelog to track changes * Update CHANGELOG.md Co-authored-by: Callum Waters <cmwaters19@gmail.com> Co-authored-by: Callum Waters <cmwaters19@gmail.com> * rpc: clarify timestamps (#304) * clarify timestamps * changelog entry * Update spec/rpc/README.md Co-authored-by: Callum Waters <cmwaters19@gmail.com> Co-authored-by: Callum Waters <cmwaters19@gmail.com> * rpc: add chunked genesis endpoint (#299) * rpc: add chunked genesis endpoint * fix lint * feedback * add info about error * fix lint Co-authored-by: marbar3778 <marbar3778@yahoo.com> * update ResponseCheckTx (#306) * rpc: Add totalGasUSed to block_results response (#308) * Add C++ code generation and test scenario (#310) * add parameters to byzantine send action * make net not trusted it's not necessary since for proofs Ivy will assume that the environment does not break action preconditions * use require instead of assume it seems that assume is not checked when other isolates call! * add comment * add comment * run with random seed * make domain model extractable to C++ * substitute require for assume assumes in an action are not checked when the action is called! I.e. they place no requirement on the caller; we're just assuming that the caller is going to do the right thing. This wasn't very important here but it leade to a minor inconsistency slipping through. * make the net isolate not trusted there was no need for it * add tendermint_test.ivy contains a simple test scenario that show that the specification is no vacuuous * update comment * add comments * throw if trying to parse nset value in the repl * add comment * minor refactoring * add new pex messages (#312) * build(deps): bump gaurav-nelson/github-action-markdown-link-check (#313) Bumps [gaurav-nelson/github-action-markdown-link-check](https://github.com/gaurav-nelson/github-action-markdown-link-check) from 1.0.12 to 1.0.13. - [Release notes](https://github.com/gaurav-nelson/github-action-markdown-link-check/releases) - [Commits](https://github.com/gaurav-nelson/github-action-markdown-link-check/compare/1.0.12...1.0.13) --- updated-dependencies: - dependency-name: gaurav-nelson/github-action-markdown-link-check dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * update spec to reference currently used timestamp type (#317) * build(deps): bump actions/stale from 3.0.19 to 4 (#319) Bumps [actions/stale](https://github.com/actions/stale) from 3.0.19 to 4. - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/stale/compare/v3.0.19...v4) --- updated-dependencies: - dependency-name: actions/stale dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * address discrepancies between spec and implementation (#322) * update proto files for release (#318) * stale bot: ignore issues (#325) * evidence: add section explaining evidence (#324) * statesync: new messages for gossiping consensus params (#328) * rpc: update peer format in specification in NetInfo operation (#331) * Update supervisor_001_draft.md (#334) * core: text cleanup (#332) * abci: clarify what abci stands for (#336) * abci: clarify what abci stands for * link to abci type protos. * abci: clarify connection use in-process (#337) * abci: clarify connection use in-process * Update abci.md * Update spec/abci/abci.md Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * Update spec/abci/abci.md Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * invert abci explanations * lint++ * lint++ * lint++ * lint++ Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * proto: move proto files under the correct directory related to their package name (#344) * abci.md fixup (#339) * abci: points of clarification ahead of v0.1.0 * lint++ * typo * lint++ * double word score * grammar * Update spec/abci/abci.md Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * Update spec/abci/abci.md Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * Update spec/abci/abci.md Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * Update spec/abci/abci.md Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * Update spec/abci/abci.md Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * Update spec/abci/abci.md Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * Update spec/abci/abci.md Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * Update spec/abci/abci.md Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * Update spec/abci/abci.md Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * Update spec/abci/abci.md Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * Update spec/abci/abci.md Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * Update spec/abci/abci.md Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * Update spec/abci/abci.md Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * pr feedback * wip * update non-zero status code docs * fix event description * update CheckTx description Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * Update supervisor_001_draft.md (#333) * Update supervisor_001_draft.md If the only node in the *FullNodes* set is the primary, that was just deemed faulty, we can't find honest primary. * Update supervisor_001_draft.md * light: update initialization description (#320) * apps.md fixups (#341) * wip * wip * wip * remove comments in favor of gh comments * wip * udpates to language, should must etc * Apply suggestions from code review Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * remove tendermint cache description Co-authored-by: M. J. Fromberger <fromberger@interchain.io> * proto: add tendermint go changes (#349) * add missed proto files * add abci changes * rename blockchain to blocksync * Update proto/tendermint/abci/types.proto Co-authored-by: Callum Waters <cmwaters19@gmail.com> Co-authored-by: Callum Waters <cmwaters19@gmail.com> * fix mockery generation script (#9094) Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> Co-authored-by: Milosevic, Zarko <zare.milosevic@gmail.com> Co-authored-by: Milosevic, Zarko <zare.milosevic@sicpa.com> Co-authored-by: Zarko Milosevic <zarko@tendermint.com> Co-authored-by: Marko <marbar3778@yahoo.com> Co-authored-by: Zarko Milosevic <zarko@interchain.io> Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com> Co-authored-by: Anca Zamfir <ancazamfir@users.noreply.github.com> Co-authored-by: dongsamb <dongsamb@gmail.com> Co-authored-by: Sunny Aggarwal <sunnya97@gmail.com> Co-authored-by: Anca Zamfir <anca@interchain.io> Co-authored-by: Ethan Buchman <ethan@coinculture.info> Co-authored-by: Zarko Milosevic <zarko@informal.systems> Co-authored-by: Ismail Khoffi <Ismail.Khoffi@gmail.com> Co-authored-by: Zaki Manian <zaki@tendermint.com> Co-authored-by: Erik Grinaker <erik@interchain.berlin> Co-authored-by: Tess Rinearson <tess.rinearson@gmail.com> Co-authored-by: Alexander Simmerl <a.simmerl@gmail.com> Co-authored-by: Igor Konnov <igor.konnov@gmail.com> Co-authored-by: Sean Braithwaite <brapse@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Josef Widder <44643235+josef-widder@users.noreply.github.com> Co-authored-by: Andrey Kuprianov <59489470+andrey-kuprianov@users.noreply.github.com> Co-authored-by: Igor Konnov <konnov@forsyte.at> Co-authored-by: Sam Hart <sam@hxrts.com> Co-authored-by: Robert Zaremba <robert@zaremba.ch> Co-authored-by: Giuliano <giuliano@losa.fr> Co-authored-by: Shahan Khatchadourian <shahan.k.code@gmail.com> Co-authored-by: Dev Ojha <ValarDragon@users.noreply.github.com> Co-authored-by: istoilkovska <anili100@gmail.com> Co-authored-by: Aleksandr Bezobchuk <alexanderbez@users.noreply.github.com> Co-authored-by: Sam Kleinman <garen@tychoish.com> Co-authored-by: Sunny Aggarwal <sunnya97@protonmail.ch> Co-authored-by: Federico Kunze <31522760+fedekunze@users.noreply.github.com> Co-authored-by: Marko Baricevic <markobaricevic@Fergalicious.local> Co-authored-by: Giuliano <giuliano@eic-61-11.galois.com> Co-authored-by: Jordan Sexton <jordan@jordansexton.com> Co-authored-by: MengXiangJian <805442788@qq.com> Co-authored-by: Yixin Luo <18810541851@163.com> Co-authored-by: crypto-facs <84574577+crypto-facs@users.noreply.github.com> Co-authored-by: Giuliano <giuliano@galois.com> Co-authored-by: William Banfield <4561443+williambanfield@users.noreply.github.com> Co-authored-by: Mateusz Górski <goral09@users.noreply.github.com> Co-authored-by: M. J. Fromberger <fromberger@interchain.io> Co-authored-by: Thane Thomson <connect@thanethomson.com>
281 lines
17 KiB
TeX
281 lines
17 KiB
TeX
\section{Proof of Tendermint consensus algorithm} \label{sec:proof}
|
|
|
|
\begin{lemma} \label{lemma:majority-intersection} For all $f\geq 0$, any two
|
|
sets of processes with voting power at least equal to $2f+1$ have at least one
|
|
correct process in common. \end{lemma}
|
|
|
|
\begin{proof} As the total voting power is equal to $n=3f+1$, we have $2(2f+1)
|
|
= n+f+1$. This means that the intersection of two sets with the voting
|
|
power equal to $2f+1$ contains at least $f+1$ voting power in common, \ie,
|
|
at least one correct process (as the total voting power of faulty processes
|
|
is $f$). The result follows directly from this. \end{proof}
|
|
|
|
\begin{lemma} \label{lemma:locked-decision_value-prevote-v} If $f+1$ correct
|
|
processes lock value $v$ in round $r_0$ ($lockedValue = v$ and $lockedRound =
|
|
r_0$), then in all rounds $r > r_0$, they send $\Prevote$ for $id(v)$ or
|
|
$\nil$. \end{lemma}
|
|
|
|
\begin{proof} We prove the result by induction on $r$.
|
|
|
|
\emph{Base step $r = r_0 + 1:$} Let's denote with $C$ the set of correct
|
|
processes with voting power equal to $f+1$. By the rules at
|
|
line~\ref{line:tab:recvProposal} and line~\ref{line:tab:acceptProposal}, the
|
|
processes from the set $C$ can't accept $\Proposal$ for any value different
|
|
from $v$ in round $r$, and therefore can't send a $\li{\Prevote,height_p,
|
|
r,id(v')}$ message, if $v' \neq v$. Therefore, the Lemma holds for the base
|
|
step.
|
|
|
|
\emph{Induction step from $r_1$ to $r_1+1$:} We assume that no process from the
|
|
set $C$ has sent $\Prevote$ for values different than $id(v)$ or $\nil$ until
|
|
round $r_1 + 1$. We now prove that the Lemma also holds for round $r_1 + 1$. As
|
|
processes from the set $C$ send $\Prevote$ for $id(v)$ or $\nil$ in rounds $r_0
|
|
\le r \le r_1$, by Lemma~\ref{lemma:majority-intersection} there is no value
|
|
$v' \neq v$ for which it is possible to receive $2f+1$ $\Prevote$ messages in
|
|
those rounds (i). Therefore, we have for all processes from the set $C$,
|
|
$lockedValue = v$ and $lockedRound \ge r_0$. Let's assume by a contradiction
|
|
that a process $q$ from the set $C$ sends $\Prevote$ in round $r_1 + 1$ for
|
|
value $id(v')$, where $v' \neq v$. This is possible only by
|
|
line~\ref{line:tab:prevote-higher-proposal}. Note that this implies that $q$
|
|
received $2f+1$ $\li{\Prevote,h_q, r,id(v')}$ messages, where $r > r_0$ and $r
|
|
< r_1 +1$ (see line~\ref{line:tab:cond-prevote-higher-proposal}). A
|
|
contradiction with (i) and Lemma~\ref{lemma:majority-intersection}.
|
|
\end{proof}
|
|
|
|
\begin{lemma} \label{lemma:agreement} Algorithm~\ref{alg:tendermint} satisfies
|
|
Agreement. \end{lemma}
|
|
|
|
\begin{proof} Let round $r_0$ be the first round of height $h$ such that some
|
|
correct process $p$ decides $v$. We now prove that if some correct process
|
|
$q$ decides $v'$ in some round $r \ge r_0$, then $v = v'$.
|
|
|
|
In case $r = r_0$, $q$ has received at least $2f+1$
|
|
$\li{\Precommit,h_p,r_0,id(v')}$ messages at line~\ref{line:tab:onDecideRule},
|
|
while $p$ has received at least $2f+1$ $\li{\Precommit,h_p,r_0,id(v)}$
|
|
messages. By Lemma~\ref{lemma:majority-intersection} two sets of messages of
|
|
voting power $2f+1$ intersect in at least one correct process. As a correct
|
|
process sends a single $\Precommit$ message in a round, then $v=v'$.
|
|
|
|
We prove the case $r > r_0$ by contradiction. By the
|
|
rule~\ref{line:tab:onDecideRule}, $p$ has received at least $2f+1$ voting-power
|
|
equivalent of $\li{\Precommit,h_p,r_0,id(v)}$ messages, i.e., at least $f+1$
|
|
voting-power equivalent correct processes have locked value $v$ in round $r_0$ and have
|
|
sent those messages (i). Let denote this set of messages with $C$. On the
|
|
other side, $q$ has received at least $2f+1$ voting power equivalent of
|
|
$\li{\Precommit,h_q, r,id(v')}$ messages. As the voting power of all faulty
|
|
processes is at most $f$, some correct process $c$ has sent one of those
|
|
messages. By the rule at line~\ref{line:tab:recvPrevote}, $c$ has locked value
|
|
$v'$ in round $r$ before sending $\li{\Precommit,h_q, r,id(v')}$. Therefore $c$
|
|
has received $2f+1$ $\Prevote$ messages for $id(v')$ in round $r > r_0$ (see
|
|
line~\ref{line:tab:recvPrevote}). By Lemma~\ref{lemma:majority-intersection}, a
|
|
process from the set $C$ has sent $\Prevote$ message for $id(v')$ in round $r$.
|
|
A contradiction with (i) and Lemma~\ref{lemma:locked-decision_value-prevote-v}.
|
|
\end{proof}
|
|
|
|
\begin{lemma} \label{lemma:agreement} Algorithm~\ref{alg:tendermint} satisfies
|
|
Validity. \end{lemma}
|
|
|
|
\begin{proof} Trivially follows from the rule at line
|
|
\ref{line:tab:validDecisionValue} which ensures that only valid values can be
|
|
decided. \end{proof}
|
|
|
|
\begin{lemma} \label{lemma:round-synchronisation} If we assume that:
|
|
\begin{enumerate}
|
|
\item a correct process $p$ is the first correct process to
|
|
enter a round $r>0$ at time $t > GST$ (for every correct process
|
|
$c$, $round_c \le r$ at time $t$)
|
|
\item the proposer of round $r$ is
|
|
a correct process $q$
|
|
\item for every correct process $c$,
|
|
$lockedRound_c \le validRound_q$ at time $t$
|
|
\item $\timeoutPropose(r)
|
|
> 2\Delta + \timeoutPrecommit(r-1)$, $\timeoutPrevote(r) > 2\Delta$ and
|
|
$\timeoutPrecommit(r) > 2\Delta$,
|
|
\end{enumerate}
|
|
then all correct processes decide in round $r$ before $t + 4\Delta +
|
|
\timeoutPrecommit(r-1)$.
|
|
\end{lemma}
|
|
|
|
\begin{proof} As $p$ is the first correct process to enter round $r$, it
|
|
executed the line~\ref{line:tab:nextRound} after $\timeoutPrecommit(r-1)$
|
|
expired. Therefore, $p$ received $2f+1$ $\Precommit$ messages in the round
|
|
$r-1$ before time $t$. By the \emph{Gossip communication} property, all
|
|
correct processes will receive those messages the latest at time $t +
|
|
\Delta$. Correct processes that are in rounds $< r-1$ at time $t$ will
|
|
enter round $r-1$ (see the rule at line~\ref{line:tab:nextRound2}) and
|
|
trigger $\timeoutPrecommit(r-1)$ (see rule~\ref{line:tab:startTimeoutPrecommit})
|
|
by time $t+\Delta$. Therefore, all correct processes will start round $r$
|
|
by time $t+\Delta+\timeoutPrecommit(r-1)$ (i).
|
|
|
|
In the worst case, the process $q$ is the last correct process to enter round
|
|
$r$, so $q$ starts round $r$ and sends $\Proposal$ message for some value $v$
|
|
at time $t + \Delta + \timeoutPrecommit(r-1)$. Therefore, all correct processes
|
|
receive the $\Proposal$ message from $q$ the latest by time $t + 2\Delta +
|
|
\timeoutPrecommit(r-1)$. Therefore, if $\timeoutPropose(r) > 2\Delta +
|
|
\timeoutPrecommit(r-1)$, all correct processes will receive $\Proposal$ message
|
|
before $\timeoutPropose(r)$ expires.
|
|
|
|
By (3) and the rules at line~\ref{line:tab:recvProposal} and
|
|
\ref{line:tab:acceptProposal}, all correct processes will accept the
|
|
$\Proposal$ message for value $v$ and will send a $\Prevote$ message for
|
|
$id(v)$ by time $t + 2\Delta + \timeoutPrecommit(r-1)$. Note that by the
|
|
\emph{Gossip communication} property, the $\Prevote$ messages needed to trigger
|
|
the rule at line~\ref{line:tab:acceptProposal} are received before time $t +
|
|
\Delta$.
|
|
|
|
By time $t + 3\Delta + \timeoutPrecommit(r-1)$, all correct processes will receive
|
|
$\Proposal$ for $v$ and $2f+1$ corresponding $\Prevote$ messages for $id(v)$.
|
|
By the rule at line~\ref{line:tab:recvPrevote}, all correct processes will send
|
|
a $\Precommit$ message (see line~\ref{line:tab:precommit-v}) for $id(v)$ by
|
|
time $t + 3\Delta + \timeoutPrecommit(r-1)$. Therefore, by time $t + 4\Delta +
|
|
\timeoutPrecommit(r-1)$, all correct processes will have received the $\Proposal$
|
|
for $v$ and $2f+1$ $\Precommit$ messages for $id(v)$, so they decide at
|
|
line~\ref{line:tab:decide} on $v$.
|
|
|
|
This scenario holds if every correct process $q$ sends a $\Precommit$ message
|
|
before $\timeoutPrevote(r)$ expires, and if $\timeoutPrecommit(r)$ does not expire
|
|
before $t + 4\Delta + \timeoutPrecommit(r-1)$. Let's assume that a correct process
|
|
$c_1$ is the first correct process to trigger $\timeoutPrevote(r)$ (see the rule
|
|
at line~\ref{line:tab:recvAny2/3Prevote}) at time $t_1 > t$. This implies that
|
|
before time $t_1$, $c_1$ received a $\Proposal$ ($step_{c_1}$ must be
|
|
$\prevote$ by the rule at line~\ref{line:tab:recvAny2/3Prevote}) and a set of
|
|
$2f+1$ $\Prevote$ messages. By time $t_1 + \Delta$, all correct processes will
|
|
receive those messages. Note that even if some correct process was in the
|
|
smaller round before time $t_1$, at time $t_1 + \Delta$ it will start round $r$
|
|
after receiving those messages (see the rule at
|
|
line~\ref{line:tab:skipRounds}). Therefore, all correct processes will send
|
|
their $\Prevote$ message for $id(v)$ by time $t_1 + \Delta$, and all correct
|
|
processes will receive those messages the by time $t_1 + 2\Delta$. Therefore,
|
|
as $\timeoutPrevote(r) > 2\Delta$, this ensures that all correct processes receive
|
|
$\Prevote$ messages from all correct processes before their respective local
|
|
$\timeoutPrevote(r)$ expire.
|
|
|
|
On the other hand, $\timeoutPrecommit(r)$ is triggered in a correct process $c_2$
|
|
after it receives any set of $2f+1$ $\Precommit$ messages for the first time.
|
|
Let's denote with $t_2 > t$ the earliest point in time $\timeoutPrecommit(r)$ is
|
|
triggered in some correct process $c_2$. This implies that $c_2$ has received
|
|
at least $f+1$ $\Precommit$ messages for $id(v)$ from correct processes, i.e.,
|
|
those processes have received $\Proposal$ for $v$ and $2f+1$ $\Prevote$
|
|
messages for $id(v)$ before time $t_2$. By the \emph{Gossip communication}
|
|
property, all correct processes will receive those messages by time $t_2 +
|
|
\Delta$, and will send $\Precommit$ messages for $id(v)$. Note that even if
|
|
some correct processes were at time $t_2$ in a round smaller than $r$, by the
|
|
rule at line~\ref{line:tab:skipRounds} they will enter round $r$ by time $t_2 +
|
|
\Delta$. Therefore, by time $t_2 + 2\Delta$, all correct processes will
|
|
receive $\Proposal$ for $v$ and $2f+1$ $\Precommit$ messages for $id(v)$. So if
|
|
$\timeoutPrecommit(r) > 2\Delta$, all correct processes will decide before the
|
|
timeout expires. \end{proof}
|
|
|
|
|
|
\begin{lemma} \label{lemma:validValue} If a correct process $p$ locks a value
|
|
$v$ at time $t_0 > GST$ in some round $r$ ($lockedValue = v$ and
|
|
$lockedRound = r$) and $\timeoutPrecommit(r) > 2\Delta$, then all correct
|
|
processes set $validValue$ to $v$ and $validRound$ to $r$ before starting
|
|
round $r+1$. \end{lemma}
|
|
|
|
\begin{proof} In order to prove this Lemma, we need to prove that if the
|
|
process $p$ locks a value $v$ at time $t_0$, then no correct process will
|
|
leave round $r$ before time $t_0 + \Delta$ (unless it has already set
|
|
$validValue$ to $v$ and $validRound$ to $r$). It is sufficient to prove
|
|
this, since by the \emph{Gossip communication} property the messages that
|
|
$p$ received at time $t_0$ and that triggered rule at
|
|
line~\ref{line:tab:recvPrevote} will be received by time $t_0 + \Delta$ by
|
|
all correct processes, so all correct processes that are still in round $r$
|
|
will set $validValue$ to $v$ and $validRound$ to $r$ (by the rule at
|
|
line~\ref{line:tab:recvPrevote}). To prove this, we need to compute the
|
|
earliest point in time a correct process could leave round $r$ without
|
|
updating $validValue$ to $v$ and $validRound$ to $r$ (we denote this time
|
|
with $t_1$). The Lemma is correct if $t_0 + \Delta < t_1$.
|
|
|
|
If the process $p$ locks a value $v$ at time $t_0$, this implies that $p$
|
|
received the valid $\Proposal$ message for $v$ and $2f+1$
|
|
$\li{\Prevote,h,r,id(v)}$ at time $t_0$. At least $f+1$ of those messages are
|
|
sent by correct processes. Let's denote this set of correct processes as $C$. By
|
|
Lemma~\ref{lemma:majority-intersection} any set of $2f+1$ $\Prevote$ messages
|
|
in round $r$ contains at least a single message from the set $C$.
|
|
|
|
Let's denote as time $t$ the earliest point in time a correct process, $c_1$, triggered
|
|
$\timeoutPrevote(r)$. This implies that $c_1$ received $2f+1$ $\Prevote$ messages
|
|
(see the rule at line \ref{line:tab:recvAny2/3Prevote}), where at least one of
|
|
those messages was sent by a process $c_2$ from the set $C$. Therefore, process
|
|
$c_2$ had received $\Proposal$ message before time $t$. By the \emph{Gossip
|
|
communication} property, all correct processes will receive $\Proposal$ and
|
|
$2f+1$ $\Prevote$ messages for round $r$ by time $t+\Delta$. The latest point
|
|
in time $p$ will trigger $\timeoutPrevote(r)$ is $t+\Delta$\footnote{Note that
|
|
even if $p$ was in smaller round at time $t$ it will start round $r$ by time
|
|
$t+\Delta$.}. So the latest point in time $p$ can lock the value $v$ in
|
|
round $r$ is $t_0 = t+\Delta+\timeoutPrevote(r)$ (as at this point
|
|
$\timeoutPrevote(r)$ expires, so a process sends $\Precommit$ $\nil$ and updates
|
|
$step$ to $\precommit$, see line \ref{line:tab:onTimeoutPrevote}).
|
|
|
|
Note that according to the Algorithm \ref{alg:tendermint}, a correct process
|
|
can not send a $\Precommit$ message before receiving $2f+1$ $\Prevote$
|
|
messages. Therefore, no correct process can send a $\Precommit$ message in
|
|
round $r$ before time $t$. If a correct process sends a $\Precommit$ message
|
|
for $\nil$, it implies that it has waited for the full duration of
|
|
$\timeoutPrevote(r)$ (see line
|
|
\ref{line:tab:precommit-nil-onTimeout})\footnote{The other case in which a
|
|
correct process $\Precommit$ for $\nil$ is after receiving $2f+1$ $Prevote$ for
|
|
$\nil$ messages, see the line \ref{line:tab:precommit-v-1}. By
|
|
Lemma~\ref{lemma:majority-intersection}, this is not possible in round $r$.}.
|
|
Therefore, no correct process can send $\Precommit$ for $\nil$ before time $t +
|
|
\timeoutPrevote(r)$ (*).
|
|
|
|
A correct process $q$ that enters round $r+1$ must wait (i) $\timeoutPrecommit(r)$
|
|
(see line \ref{line:tab:nextRound}) or (ii) receiving $f+1$ messages from the
|
|
round $r+1$ (see the line \ref{line:tab:skipRounds}). In the former case, $q$
|
|
receives $2f+1$ $\Precommit$ messages before starting $\timeoutPrecommit(r)$. If
|
|
at least a single $\Precommit$ message from a correct process (at least $f+1$
|
|
voting power equivalent of those messages is sent by correct processes) is for
|
|
$\nil$, then $q$ cannot start round $r+1$ before time $t_1 = t +
|
|
\timeoutPrevote(r) + \timeoutPrecommit(r)$ (see (*)). Therefore in this case we have:
|
|
$t_0 + \Delta < t_1$, i.e., $t+2\Delta+\timeoutPrevote(r) < t + \timeoutPrevote(r) +
|
|
\timeoutPrecommit(r)$, and this is true whenever $\timeoutPrecommit(r) > 2\Delta$, so
|
|
Lemma holds in this case.
|
|
|
|
If in the set of $2f+1$ $\Precommit$ messages $q$ receives, there is at least a
|
|
single $\Precommit$ for $id(v)$ message from a correct process $c$, then $q$
|
|
can start the round $r+1$ the earliest at time $t_1 = t+\timeoutPrecommit(r)$. In
|
|
this case, by the \emph{Gossip communication} property, all correct processes
|
|
will receive $\Proposal$ and $2f+1$ $\Prevote$ messages (that $c$ received
|
|
before time $t$) the latest at time $t+\Delta$. Therefore, $q$ will set
|
|
$validValue$ to $v$ and $validRound$ to $r$ the latest at time $t+\Delta$. As
|
|
$t+\Delta < t+\timeoutPrecommit(r)$, whenever $\timeoutPrecommit(r) > \Delta$, the
|
|
Lemma holds also in this case.
|
|
|
|
In case (ii), $q$ received at least a single message from a correct process $c$
|
|
from the round $r+1$. The earliest point in time $c$ could have started round
|
|
$r+1$ is $t+\timeoutPrecommit(r)$ in case it received a $\Precommit$ message for
|
|
$v$ from some correct process in the set of $2f+1$ $\Precommit$ messages it
|
|
received. The same reasoning as above holds also in this case, so $q$ set
|
|
$validValue$ to $v$ and $validRound$ to $r$ the latest by time $t+\Delta$. As
|
|
$t+\Delta < t+\timeoutPrecommit(r)$, whenever $\timeoutPrecommit(r) > \Delta$, the
|
|
Lemma holds also in this case. \end{proof}
|
|
|
|
\begin{lemma} \label{lemma:agreement} Algorithm~\ref{alg:tendermint} satisfies
|
|
Termination. \end{lemma}
|
|
|
|
\begin{proof} Lemma~\ref{lemma:round-synchronisation} defines a scenario in
|
|
which all correct processes decide. We now prove that within a bounded
|
|
duration after GST such a scenario will unfold. Let's assume that at time
|
|
$GST$ the highest round started by a correct process is $r_0$, and that
|
|
there exists a correct process $p$ such that the following holds: for every
|
|
correct process $c$, $lockedRound_c \le validRound_p$. Furthermore, we
|
|
assume that $p$ will be the proposer in some round $r_1 > r$ (this is
|
|
ensured by the $\coord$ function).
|
|
|
|
We have two cases to consider. In the first case, for all rounds $r \ge r_0$
|
|
and $r < r_1$, no correct process locks a value (set $lockedRound$ to $r$). So
|
|
in round $r_1$ we have the scenario from the
|
|
Lemma~\ref{lemma:round-synchronisation}, so all correct processes decides in
|
|
round $r_1$.
|
|
|
|
In the second case, a correct process locks a value $v$ in round $r_2$, where
|
|
$r_2 \ge r_0$ and $r_2 < r_1$. Let's assume that $r_2$ is the highest round
|
|
before $r_1$ in which some correct process $q$ locks a value. By Lemma
|
|
\ref{lemma:validValue} at the end of round $r_2$ the following holds for all
|
|
correct processes $c$: $validValue_c = lockedValue_q$ and $validRound_c = r_2$.
|
|
Then in round $r_1$, the conditions for the
|
|
Lemma~\ref{lemma:round-synchronisation} holds, so all correct processes decide.
|
|
\end{proof}
|
|
|